Should autocomplete=“off” be used for all sensitive fields?

Question

What are your thoughts about this issue in regards to an e-commerce environment?

Do you think it is wise to turn autocomplete off on all sensitive input fields such

Answer 1

Most e-commerce sites disable autocomplete for credit card fields. They store and redisplay the info when an authenticated user returns, then only require the user to re-enter the CVV. This way the site gets users to sign up (otherwise, they'd have to re-enter the full CC info every time), keeps the CC info masked on subsequent visits, and only burdens the user with entering a three-digit number. (It's also a small way of building secure practice around CC numbers so users will hopefully be more protective of them.)

Keep in mind that setting autocomplete on/off only addresses confidentiality of data for shared environments, i.e. more than one person accesses the same browser. For example, if your app were intended for a classroom, then it would make more sense to disable autocomplete entirely since the app will be re-used in the same browser by many different people.

Consider it an (in)convenience feature, not a security feature. You can't protect users from every dumb mistake when sharing browsers (like not logging out) and, to be nicer to dumb users, it won't have any bearing on client-side attacks like keyloggers. If the shared environment isn't secure, then your app can't do much to protect its users.